collavre 0.20.3 → 0.22.0

data/app/channels/collavre/agent_channel.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+module Collavre
+  class AgentChannel < ApplicationCable::Channel
+    # Heartbeat for Claude Channel presence rows. Fires for every subscription,
+    # but touch_presence is a no-op unless this connection registered a presence
+    # row (agent_id subscribe by a Claude Channel agent), so topic/legacy/non-
+    # Claude subscribers pay only an idle timer.
+    periodically :touch_presence, every: AgentSubscription::HEARTBEAT_SECONDS
+
+    # Subscribes to an agent stream for real-time dispatch notifications.
+    # Accepts either:
+    #   - agent_id: per-agent stream — used by MCP plugin clients (Claude
+    #     Channel) so they receive every dispatch routed to the agent, no
+    #     matter which topic triggered it. Authorized by created_by ownership.
+    #   - topic_id: per-topic stream — legacy/UI listeners scoped to one topic.
+    def subscribed
+      return reject unless current_user
+
+      if params[:agent_id].present?
+        subscribe_to_agent_stream
+      elsif params[:topic_id].present?
+        subscribe_to_topic_stream
+      else
+        reject
+      end
+    end
+
+    # When the MCP process crashes or the WebSocket drops before the plugin
+    # can call DELETE /api/v1/agent/:id, a Claude Channel session would
+    # otherwise stay matchable (routing_expression: "true") and any future
+    # comment on a creative still shared with the agent would dispatch into an
+    # empty stream — delegated work that only clears via stuck recovery.
+    #
+    # One shared agent can have MANY concurrent sessions, so routing is gated
+    # on PRESENCE: this session drops its own AgentSubscription row, and
+    # routing is cleared only when NO rows remain. A still-live sibling session
+    # keeps its row, so routing stays active and its in-flight work is never
+    # cancelled. Done under the agent's row lock so a concurrent subscribe on
+    # the same agent serializes (no clear-vs-activate race).
+    #
+    # Cross-process / late unsubscribe: the row was keyed by this connection's
+    # own @subscription_token. A stale unsubscribe whose row was already
+    # removed (newer subscribe took over, or a different Puma/Kamal process)
+    # deletes zero rows and becomes a no-op — required for scaled deployments
+    # (WEB_CONCURRENCY > 1, Solid Cable).
+    def unsubscribed
+      return unless @session_agent && @subscription_token
+
+      cleared = false
+      dropped_session_id = nil
+      @session_agent.with_lock do
+        scope = AgentSubscription.where(agent_id: @session_agent.id, token: @subscription_token)
+        # Capture the dropped session's id before deleting its row so a live-
+        # sibling exit can still scope a cleanup to this session's own topic.
+        dropped_session_id = scope.pick(:session_id)
+        deleted = scope.delete_all
+        # Stale: our presence row is already gone. The live owner's lifecycle
+        # owns routing — do not clobber it, do not schedule cancellation.
+        if deleted.zero?
+          dropped_session_id = nil
+          next
+        end
+
+        # Drop crash-orphaned sibling rows (a Puma/ActionCable process that
+        # died without firing unsubscribed) before reading presence, so a dead
+        # row cannot masquerade as a live sibling and pin routing on forever.
+        AgentSubscription.reap_stale!(@session_agent.id)
+
+        # Another session is still LIVE on this shared agent. Keep routing
+        # active; whichever session unsubscribes last clears it.
+        next if AgentSubscription.live.where(agent_id: @session_agent.id).exists?
+
+        @session_agent.update_columns(
+          routing_expression: nil,
+          routing_subscription_token: nil
+        )
+        cleared = true
+      end
+
+      if cleared
+        # Reconnect-grace cancellation (last session): clearing routing only
+        # makes the agent unroutable. Any task already "delegated" still holds
+        # its ResourceTracker slot — the dispatch was broadcast to a now-dead
+        # stream so no client remains to call /reply, and the slot would stay
+        # held until StuckDetectorJob times out. The job cancels those tasks
+        # after a grace window, but only if the agent is still offline (it
+        # rechecks routing_expression AND that no session has resubscribed).
+        CancelOfflineDelegatedTasksJob
+          .set(wait: CancelOfflineDelegatedTasksJob::GRACE_SECONDS.seconds)
+          .perform_later(@session_agent.id, @subscription_token)
+      elsif dropped_session_id.present?
+        # A live sibling keeps the shared agent routable, so we must NOT clear
+        # routing or sweep agent-wide. But this dropped session's OWN session
+        # topic is private to it — siblings filter session_topic dispatches to
+        # their own topic, so none will /reply to a task delegated there and it
+        # would hold its slot until stuck recovery. Schedule a grace-delayed,
+        # session-scoped cancellation (skipped if this same session reconnects
+        # within the window), mirroring the destroy path's cancel_tasks_for_topic.
+        CancelOfflineDelegatedTasksJob
+          .set(wait: CancelOfflineDelegatedTasksJob::GRACE_SECONDS.seconds)
+          .perform_later(@session_agent.id, @subscription_token, dropped_session_id)
+      end
+    rescue ActiveRecord::StatementInvalid => e
+      Rails.logger.warn("[AgentChannel] unsubscribed presence clear failed: #{e.message}")
+    end
+
+    # Pull-on-resubscribe replay (Codex P2): after every (re)subscribe the plugin
+    # sends the permission request_ids it still holds pending, and the server
+    # re-broadcasts the recorded decision for exactly those ids. A decision
+    # broadcast once into the transient agent:user:<id> stream while the plugin's
+    # WebSocket was down would otherwise be lost (action_executed_at already
+    # stamped, buttons hidden), hanging the suspended tool with no retry path.
+    # The plugin's pending set is the sole bound — there is no wall-clock window,
+    # so an outage of any length is covered, and a decision already consumed is
+    # never requested. Idempotent: the plugin's coordinator drops any id it no
+    # longer holds. Gated on @session_agent so only a Claude Channel agent
+    # subscription (where stream_from agent:user:<id> is attached) can pull.
+    def replay_permissions(data)
+      return unless @session_agent
+
+      Comment.replay_claude_channel_permission_decisions_for(
+        @session_agent.id,
+        data["request_ids"]
+      )
+    end
+
+    # Broadcast an arbitrary payload to a topic's agent stream.
+    def self.broadcast_to_topic(topic_id, payload)
+      ActionCable.server.broadcast("agent:topic:#{topic_id}", payload)
+    end
+
+    # Broadcast to a per-agent stream so the agent's MCP plugin receives the
+    # dispatch regardless of which topic triggered it.
+    def self.broadcast_to_agent(agent_id, payload)
+      ActionCable.server.broadcast("agent:user:#{agent_id}", payload)
+    end
+
+    private
+
+    def subscribe_to_topic_stream
+      @topic = Topic.find_by(id: params[:topic_id])
+      return reject unless @topic
+
+      creative = @topic.creative&.effective_origin
+      return reject unless creative&.has_permission?(current_user, :read)
+
+      stream_from "agent:topic:#{@topic.id}"
+    end
+
+    def subscribe_to_agent_stream
+      agent = User.find_by(id: params[:agent_id])
+      return reject unless agent&.ai_user?
+      return reject unless agent.created_by_id == current_user.id
+
+      # Attach the stream BEFORE activating routing. Orchestration::Matcher
+      # can pick this agent as soon as routing_expression becomes "true";
+      # broadcasts to agent:user:<id> in the window between the UPDATE
+      # committing and stream_from registering the subscription would land
+      # in a stream with no subscriber, leaving the new delegated task
+      # waiting on stuck recovery. Registering the subscription first means
+      # by the time the agent is matchable, this connection is already
+      # receiving broadcasts.
+      @session_agent = agent if agent.claude_channel_agent?
+      @subscription_token = SecureRandom.hex(8) if agent.claude_channel_agent?
+      stream_from "agent:user:#{agent.id}"
+
+      # Record this session's presence row and (re)activate routing under the
+      # agent's row lock, so a concurrent unsubscribe on the same shared agent
+      # serializes against this and cannot clear routing out from under a live
+      # session. routing_subscription_token is kept as the most-recent-session
+      # marker (debugging / grace-job arg); presence rows are the real gate.
+      if agent.claude_channel_agent?
+        agent.with_lock do
+          # Self-heal: clear crash-orphaned rows for this agent before counting
+          # so this session's activation isn't blocked from, and presence reads
+          # aren't fooled by, a dead process's leftover row.
+          AgentSubscription.reap_stale!(agent.id)
+          # Record the plugin-supplied session_id (stable across --resume) on the
+          # row. The HTTP unregister path (DELETE /api/v1/agent/:id) cannot know
+          # this connection's server-minted @subscription_token, so it correlates
+          # the exiting session to its row via session_id instead.
+          AgentSubscription.create!(
+            agent_id: agent.id,
+            token: @subscription_token,
+            session_id: params[:session_id].presence
+          )
+          agent.update_columns(
+            routing_subscription_token: @subscription_token,
+            routing_expression: "true"
+          )
+        end
+      end
+    end
+
+    # Periodic heartbeat callback: keep this session's presence row live. No-op
+    # once the row is gone (rotated by a newer subscribe, or reaped), so it can
+    # never resurrect a removed row.
+    def touch_presence
+      return unless @session_agent && @subscription_token
+
+      AgentSubscription.touch!(@session_agent.id, @subscription_token)
+    end
+  end
+end

data/app/channels/collavre/comments_presence_channel.rb

@@ -1,5 +1,12 @@
 module Collavre
 class CommentsPresenceChannel < ApplicationCable::Channel
+  def self.broadcast_channel_chips_changed(creative_id, topic_id:)
+    ActionCable.server.broadcast(
+      "comments_presence:#{creative_id}",
+      { channel_chips: { topic_id: topic_id } }
+    )
+  end
+
   def self.broadcast_shares_changed(creative_id, shared_user_id:, permission: nil, action: "updated", has_access: nil, can_comment: nil, has_access_changed: nil, can_comment_changed: nil)
     ActionCable.server.broadcast(
       "comments_presence:#{creative_id}",

data/app/controllers/collavre/admin/integrations_controller.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Admin
+    class IntegrationsController < ApplicationController
+      before_action :require_system_admin!
+      before_action :load_definition!, only: [ :reset ]
+
+      Registry = Collavre::IntegrationSettings::Registry
+      Resolver = Collavre::IntegrationSettings::Resolver
+
+      def index
+        @grouped_settings = build_grouped_settings
+      end
+
+      def bulk_update
+        submitted = (params[:integration_setting] || {}).to_unsafe_h
+        restart_required_changed = false
+
+        Collavre::IntegrationSetting.transaction do
+          submitted.each do |key, raw_value|
+            value = raw_value.to_s
+            next if value.blank?
+
+            definition = Registry.instance.find(key) or next
+            # Mirror the index filter: keys hidden from the admin UI
+            # (admin_visible: false) are not editable via this form, so a crafted
+            # POST cannot write them.
+            next if definition.admin_visible == false
+
+            row = Collavre::IntegrationSetting.find_or_initialize_by(key: definition.key.to_s)
+            row.category = definition.category
+            row.value = value
+            row.save!
+
+            restart_required_changed ||= definition.requires_restart
+          end
+        end
+
+        flash[:notice] = t("collavre.admin.integrations.flash.updated")
+        flash[:warning] = t("collavre.admin.integrations.flash.restart_required") if restart_required_changed
+        redirect_to collavre.admin_integrations_path
+      end
+
+      def reset
+        Collavre::IntegrationSetting.where(key: @definition.key.to_s).destroy_all
+        redirect_to collavre.admin_integrations_path,
+          notice: t("collavre.admin.integrations.flash.reset_done", key: @definition.key)
+      end
+
+      private
+
+      def load_definition!
+        @definition = Registry.instance.find(params[:key])
+        # Keys hidden from the admin UI (admin_visible: false) are treated as
+        # non-addressable here too, so a crafted DELETE cannot reset them.
+        if @definition.nil? || @definition.admin_visible == false
+          @definition = nil
+          render file: Rails.root.join("public/404.html"), status: :not_found, layout: false and return
+        end
+      end
+
+      def build_grouped_settings
+        Registry.instance.by_category.sort_by { |category, _defs| category.to_s }.filter_map do |category, definitions|
+          visible = definitions.select { |d| d.admin_visible != false }
+          next if visible.empty?
+
+          [ category, visible.map { |definition| build_row(definition) } ]
+        end
+      end
+
+      def build_row(definition)
+        value = Resolver.get(definition.key)
+        source = Resolver.source_for(definition.key)
+        display = definition.sensitive ? mask_value(value) : value
+
+        {
+          definition: definition,
+          source: source,
+          display_value: display,
+          present: value.present?
+        }
+      end
+
+      def mask_value(value)
+        return nil if value.blank?
+        return "••••" if value.to_s.length <= 4
+
+        "••••#{value.to_s[-4..]}"
+      end
+    end
+  end
+end

data/app/controllers/collavre/admin/settings_controller.rb

@@ -10,6 +10,7 @@ module Collavre
         @mcp_tool_approval = SystemSetting.find_by(key: "mcp_tool_approval_required")&.value == "true"
         @creatives_login_required = SystemSetting.creatives_login_required?
         @home_page_path = SystemSetting.home_page_path
+        @home_page_path_authenticated = SystemSetting.home_page_path_authenticated
 
         # Account lockout settings
         @max_login_attempts = SystemSetting.max_login_attempts
@@ -93,23 +94,9 @@ module Collavre
           creatives_login_setting.value = params[:creatives_login_required] == "1" ? "true" : "false"
           creatives_login_setting.save!
 
-          # Home Page Path
-          home_page_path_input = params[:home_page_path].to_s.strip
-          if home_page_path_input.present?
-            normalized_path, error = validate_and_normalize_home_page_path(home_page_path_input)
-            if error
-              home_page_setting = SystemSetting.new(key: "home_page_path")
-              home_page_setting.errors.add(:base, error)
-              raise ActiveRecord::RecordInvalid, home_page_setting
-            end
-            home_page_setting = SystemSetting.find_or_initialize_by(key: "home_page_path")
-            home_page_setting.value = normalized_path
-            home_page_setting.save!
-          else
-            home_page_setting = SystemSetting.find_or_initialize_by(key: "home_page_path")
-            home_page_setting.value = nil
-            home_page_setting.save!
-          end
+          # Home Page Paths (unauthenticated default + authenticated override)
+          save_home_page_path("home_page_path", params[:home_page_path])
+          save_home_page_path("home_page_path_authenticated", params[:home_page_path_authenticated])
 
           # Account Lockout Settings
           max_attempts = params[:max_login_attempts].to_i
@@ -171,6 +158,7 @@ module Collavre
         @mcp_tool_approval = params[:mcp_tool_approval] == "1"
         @creatives_login_required = params[:creatives_login_required] == "1"
         @home_page_path = params[:home_page_path]
+        @home_page_path_authenticated = params[:home_page_path_authenticated]
         @max_login_attempts = params[:max_login_attempts].to_i.positive? ? params[:max_login_attempts].to_i : SystemSetting::DEFAULT_MAX_LOGIN_ATTEMPTS
         @lockout_duration_minutes = params[:lockout_duration_minutes].to_i.positive? ? params[:lockout_duration_minutes].to_i : SystemSetting::DEFAULT_LOCKOUT_DURATION_MINUTES
         @password_min_length = [ [ params[:password_min_length].to_i, SystemSetting::DEFAULT_PASSWORD_MIN_LENGTH ].max, 72 ].min
@@ -186,6 +174,23 @@ module Collavre
 
       private
 
+      def save_home_page_path(key, raw_value)
+        input = raw_value.to_s.strip
+        setting = SystemSetting.find_or_initialize_by(key: key)
+        if input.present?
+          normalized_path, error = validate_and_normalize_home_page_path(input)
+          if error
+            stub = SystemSetting.new(key: key)
+            stub.errors.add(:base, error)
+            raise ActiveRecord::RecordInvalid, stub
+          end
+          setting.value = normalized_path
+        else
+          setting.value = nil
+        end
+        setting.save!
+      end
+
       def validate_and_normalize_home_page_path(value)
         path = value.to_s.strip